(replying to my own mail at gun^Wflamethrower-point) On Mon, Oct 18, 2004 at 03:02:47PM +0200, Jeroen van Wolffelaar wrote: > On Mon, Oct 18, 2004 at 07:44:29AM -0500, Branden Robinson wrote: > > Is there a FAQ somewhere that will tell me why I always get "REJECTED" > > mails from katie after submitting security-fixed packages to the Debian > > Security Team? > > > > I get one for each architecture. > > > > I seem to remember asking Debian Installer > > <[EMAIL PROTECTED]> before, but never getting an answer. > > The problem is that stable-security is a separate archive, and requires > a sourceful upload. Give the '-sa' option to dpkg-buildpackage to > overrule the heuristic that says only -1 and -0 packages need to have > their source included.
Branden Robinson told me that however he did prepare the upload, it was his understanding that the security team would not use it as-is, but rebuild it. They didn't, and due to Branden's assumption, he didn't think he needed to follow the guidelines specific to how exactly to dpkg-buildpackage the upload for security updates. > Also see http://www.debian.org/doc/developers-reference/ch-pkgs#s-bug-security > which says to simply mail updated packages to the security team, and to > not normally upload them yourself. So it was the security team who uploaded Branden's packages as-is. Sorry for assuming wrong, but something like this is uncheckable as the signature was Branden's. > A subsection of this section has also the answer to your question: > > | Unless the upstream source has been uploaded to security.debian.org > | before (by a previous security update), build the upload with full > | upstream source (dpkg-buildpackage -sa). If there has been a previous > | upload to security.debian.org with the same upstream version, you may > | upload without upstream source (dpkg-buildpackage -sd). This text is by the way incomplete. It should say "If there has been a previous upload ... same upstream version _since the latest point release_, you may upload without upstream source". Or even better, just change it to 'always use -sa', as having multiple security updates for one package between the same point releases is rare, and even if so, the extra bandwidth used during upload is neglectible (and it can't hurt). --Jeroen -- Jeroen van Wolffelaar [EMAIL PROTECTED] (also for Jabber & MSN; ICQ: 33944357) http://Jeroen.A-Eskwadraat.nl
